Installation and Security of Microsoft Office XP Smart Tags
Microsoft Corporation
October 2001
Applicable to: Microsoft® Office XP
Summary: This article describes the installation and security of Microsoft Office XP smart tags.
Table of Contents
Introduction
Installation and Deployment
Updating Smart Tags
Security Considerations
Trust Chart
Confidentiality Considerations
Smart Tag Persistence
Recipient Experience
Other Considerations
Best Practices
Summary
Introduction
Microsoft has released an exciting new technology in Microsoft® Office XP, called "smart tags". Smart tag technology in Office XP is an extensible application programming interface (API) that dynamically recognizes user input in real time and offers a set of user actions based on the input and the recognized text. In a typical case, a user types a document that contains job-related information. The document may include the names of business partners, financial information, addresses, or any other related business data. The user's organization can use smart tags to recognize this data dynamically and offer the corresponding actions. When the user opens the document, the relevant data is marked with a small underline. The user can then place the cursor over the text to display the smart tag actions.
Most organizations are very cautious about introducing executable code into their computing environment. Any situation in which malicious code might run is considered a serious security risk. The design of smart tags takes these security issues into account. Although a smart tag runs within a document, the actual code is not transmitted when the document is sent by e-mail. For a smart tag to work, its code must be installed and registered on the computer where the smart tag is used. Smart tags take advantage of existing security technologies and procedures, such as code signing and certificates. In addition, individual users and network administrators can apply a number of security measures and settings to control which code can run in their environment.
Installation and deployment
Each smart tag consists of a "recognizer" component and an "action" component, each of which is a Component Object Model (COM) DLL. In addition, a document that contains smart tags contains one or more XML data islands, which identify the text that the smart tags recognize.
Because a smart tag is made up of COM DLLs, the code does not actually travel with the document. That is, malicious code cannot be transmitted by means of a smart tag. Smart tag users also get the benefit of all the security measures that apply to COM DLLs. To install a smart tag on a computer, the code must be installed and registered. Typically, it is installed from a Web-based download package. Organizations can also have the COM DLLs signed through a certificate authority so that users and administrators know what is being installed on a given computer.
Installation
A smart tag is installed in the same way as any other COM DLL. First copy the smart tag to the local computer, then register it with a registration program such as regsvr32.exe, and then restart Microsoft Office XP. A good way to handle this process is to use the Visual Studio® installer to create a smart tag installation package. For more information on using the Visual Studio installer to create a smart tag installation package, see "Smart Tag SDK" in the MSDN® Online Office Developer Center.
After installing the smart tag DLL, you must write its location to the registry.
As part of Office XP, smart tag recognizers are registered under the HKCU\Software\Microsoft\Office\Common\Smart Tag\Recognizer registry key.
Smart tag actions are registered under the HKCU\Software\Microsoft\Office\Common\Smart Tag\Actions registry key.
Custom smart tags must be registered in the same locations, by creating a new registry key at the correct location. The new key must be the class ID (CLSID) of the recognizer and action DLLs. When Office XP then queries the registry for the list of installed smart tags, it finds the CLSIDs of all custom smart tags and their associated smart tag DLLs.
Deployment
Any standard deployment method currently used for COM objects also applies to the deployment of smart tags. Policy templates can be used to deploy smart tags automatically. For more information on using policy templates, see the Office Resource Kit (ORK). You can also use a systems management product such as Microsoft Systems Management Server, or distribute smart tags via the Web. The "Smart Tags" tab of the AutoCorrect dialog box (on the "Tools" menu in Office XP applications) also contains a "More Smart Tags" button that lets the user download new smart tags from Microsoft. Administrators can turn off the "More Smart Tags" feature or use a management policy to redirect it to a server on their own network.
Many organizations want to use smart tags developed by third parties or in-house. Microsoft strongly recommends that these smart tags be digitally signed through a certificate authority such as VeriSign.
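An added example, not part of the original article: a PowerShell audit that lists the smart tag recognizer and action entries registered for the current user, resolves each CLSID to its COM DLL, and reports the Authenticode signature status. The "Smart Tag" key path is taken from this page; matching its subkeys by prefix and the function and variable names are assumptions of the example.

```powershell
# Added example: audit the smart tag COM DLLs registered for the current user.
# The "Smart Tag" key path comes from this page. Matching its subkeys by prefix
# is an assumption, so confirm the exact key names on the machine you audit.
$SmartTagRoot = 'HKCU:\Software\Microsoft\Office\Common\Smart Tag'

# Places where an in-process COM server can be registered. The Wow6432Node
# entries cover 32-bit Office on 64-bit Windows.
$ClsidRoots = 'HKCU:\Software\Classes\CLSID',
              'HKCU:\Software\Classes\Wow6432Node\CLSID',
              'HKLM:\Software\Classes\CLSID',
              'HKLM:\Software\Classes\Wow6432Node\CLSID'

function Get-ComServerPath {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path (Join-Path $root $Clsid) 'InprocServer32'
        if (Test-Path -LiteralPath $key) {
            # The default value of InprocServer32 is the DLL path.
            $path = (Get-Item -LiteralPath $key).GetValue('')
            if ($path) {
                return [Environment]::ExpandEnvironmentVariables($path).Trim('"')
            }
        }
    }
}

function Get-SmartTagAudit {
    if (-not (Test-Path -LiteralPath $SmartTagRoot)) { return }
    Get-ChildItem -LiteralPath $SmartTagRoot |
        Where-Object { $_.PSChildName -match '^(Recognizer|Action)' } |
        ForEach-Object {
            $kind = $_.PSChildName
            Get-ChildItem -LiteralPath $_.PSPath | ForEach-Object {
                $id  = $_.PSChildName   # per the page, the key is the DLL's CLSID
                $dll = if ($id -match '^\{[0-9A-Fa-f-]{36}\}$') { Get-ComServerPath $id }
                $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                    Get-AuthenticodeSignature -LiteralPath $dll
                }
                [pscustomobject]@{
                    Kind   = $kind
                    Clsid  = $id
                    Dll    = $dll
                    Status = if ($sig) { "$($sig.Status)" } else { 'Unresolved' }
                    Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                }
            }
        }
}

# Unsigned or unresolved entries are the ones to review first.
Get-SmartTagAudit | Sort-Object Status, Kind | Format-Table -AutoSize
```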
Updating smart tags
A document that contains smart tags contains XML data islands that identify the strings the smart tags recognize. Another data island typically contains a property called the "Download Location URL", which smart tag developers can use to direct users to a URL where they can get updated smart tags. Network administrators can override this URL with a management policy so that all smart tag requests are directed to another location. This is the usual approach when users are behind a firewall: the network administrator places the users' smart tags on a server inside the firewall, so that external, potentially harmful code is not downloaded.
Security considerations
After a smart tag is deployed, users can still control how it operates on the computer through settings in Microsoft Word 2002, Excel 2002, and Outlook® 2002. These settings are part of the macro security settings, which are found under the Tools | Macro | Security... menu.
Macro level
Figure 1 shows the Security Level dialog box. This setting determines the security level of the application: "Low", "Medium" or "High".
Figure 1: The Security Level dialog box
Trusted sources
Figure 2 shows the Trusted Sources dialog box. If the "Trust all installed add-ins and templates" check box on the Trusted Sources tab is selected, the application loads user-installed custom smart tags into memory regardless of whether the smart tag DLL is signed. This check box is selected by default. If tighter control is needed, users can clear this check box, or it can be cleared through a management policy for macro security.
Figure 2: The Trusted Sources dialog box
Trust chart
The trust chart in Table 1 explains how Office XP handles custom smart tags installed on the user's system. How Office XP handles them depends on the following factors:
Is "Trust all installed add-ins and templates" selected? This setting is selected by default.
Is the smart tag digitally signed? Microsoft strongly recommends that all developers sign their smart tags through a certificate authority (such as VeriSign).
Does the smart tag come from a trusted source? The application can recognize sources that the user or administrator has designated as trusted. This can be the user's own organization (for smart tags developed in-house) or another company (such as Microsoft).
Result
Based on these settings, Office XP handles smart tags in one of the following ways. Office XP will:
Load the smart tag into memory without prompting: The smart tag is loaded into memory without user intervention and without a prompt.
Display the digital signature prompt: Asks whether the user accepts a smart tag that has been signed. The dialog box contains a check box that lets the user designate the source of this smart tag as a trusted source in the future. This dialog box is used for all digital signatures and is not specific to smart tags.
Not load the smart tag into memory: The smart tag is not loaded. This happens silently, with no user confirmation and no dialog box.
Prompt the user to enable macros: This dialog box warns the user that the current document contains macros. The user can choose to enable macros in the current document, which loads the smart tags into memory, or choose to disable macros, in which case the smart tags are not loaded. This dialog box appears every time a document that contains smart tags is opened, unless the user changes the security settings.
Table 1: Trust chart
Confidentiality
In addition to considering the content of documents that enter the organization, users and administrators must consider confidentiality when documents are passed between users or organizations. Although smart tags do not generally endanger confidentiality, it is important to understand exactly what kind of information is transmitted with smart tags and how to control that transmission when needed.
Smart tag persistence
When a document containing smart tags is transmitted by e-mail, over the network, or on other media, the executable code is not transmitted. The code runs only when the smart tag is installed on a computer and the document is viewed on that computer. The only thing that travels with the document itself is an XML data island, which identifies the text that the smart tag recognized. In some cases, the recognized information may be confidential. For example, an organization may have a smart tag that recognizes its customer names, and its customer list is not public, so it wants smart tags disabled in documents that are distributed outside the organization. This is done by clearing the "Embed smart tags" check box in the application. The location of this check box is as follows:
Microsoft Word 2002: on the Tools | Options | Save tab. See Figure 3.
Microsoft Excel 2002: on the Tools | AutoCorrect Options | Smart Tags tab. See Figure 4.
Microsoft Outlook 2002: use Word as the default mail editor and create a new e-mail message. Then click Tools | Options and, on the General tab, clear the "Save smart tags in e-mail" check box. See Figure 5.
If these options are disabled, the smart tag data does not travel with the document.
Figure 3: Word 2002 embedded smart tag options
Figure 4: Embedded smart tags in an Excel 2002 workbook
Figure 5: Outlook 2002 option to save smart tags in e-mail
Recipient experience
When a smart tag is sent from one user to another in a document, the recipient's experience depends on the recipient's local security settings and installed smart tags. When the user encounters text in the document that a smart tag has recognized, the recognized text usually appears with a small underline. If the user places the cursor over the underline, the smart tag button appears. Clicking this button lists the actions associated with the smart tag. If the smart tag has an associated "Download Location URL" property, these actions include "Check for New Actions". Note that if the smart tag has no actions and no "Download Location URL" property, the user will not see the underline or the smart tag button. However, this does not mean that the document contains no smart tags. The document may still contain XML data islands that hold smart tag metadata. The confidentiality chart explains this in detail.
Confidentiality chart
Table 2 shows the confidentiality chart. Various confidentiality settings affect how smart tags are embedded in documents, and the chart helps developers understand the privacy issues involved in using smart tags.
Settings
The following settings affect how smart tags are embedded in the document, as well as the recipient's user experience:
Is the "Embed smart tags" check box selected? Whether the "Embed smart tags" check box is selected.
Does the smart tag have associated actions? Whether any actions are associated with the smart tag. A smart tag may be used only to recognize text, without providing any visible user actions.
Does the smart tag have a "Download Location URL" property? Whether the smart tag has an associated "Download Location URL". This property is set when the smart tag is designed.
Result
Depending on the user's confidentiality settings and installed smart tags, the following behaviors may affect confidentiality and the document recipient's experience:
XML embedded in the document: The XML data island that identifies the text is embedded in the document.
Recipient sees underlined smart tag text when opening the document: If the smart tag recognizes text in the document, the text is underlined, and the smart tag button is displayed when the cursor is placed over the text.
Recipient can use the corresponding actions: When the smart tag button is clicked, all available actions for the smart tag appear in the drop-down menu.
Recipient can see "Check for New Actions": "Check for New Actions" is shown in the drop-down menu.
None of the above: The document contains no smart tags and no XML associated with smart tags.
Table 2: Confidentiality chart
Other considerations
Performance
Smart tag recognizers run on a background thread, so they do not interfere with the user's typing or with the application. Text is passed from the application to the recognizers. While the smart tags are running, the list of recognized text is kept in memory. To decide which text to check for smart tags first, Word uses an algorithm similar to the one the spelling checker uses. Excel checks for smart tag recognition only when a cell is selected, one cell at a time. In other words, text in the visible part of the spreadsheet has the highest priority, so users do not have to wait for smart tags.
If several recognizers are installed, the order in which they run is arbitrary. As far as possible, developers should avoid creating recognizers that depend on database connections or Web access, because these may be unavailable. If a recognizer that depends on such a resource is slow, it holds up the other recognizers.
Conflicts
When creating a smart tag, developers should also be aware that recognition conflicts are possible. Smart tag developers need to define an XML namespace for their custom smart tags. This keeps custom smart tags independent of one another.
First, two smart tags may well recognize the same text as two different smart tag types. For example, "GREAL" may be recognized as both a company name type and a chemical type. In that case both smart tags recognize the text, and the user is given a cascading menu from which to choose the smart tag to run.
Two recognizers may also recognize overlapping text. For example, assume there are two recognizers, "recognizer A" and "recognizer B". Recognizer A recognizes "123 street, D unit" as a "street name" smart tag, and recognizer B recognizes "123th Street" as a "street name" smart tag. Here the two recognizers have recognized overlapping regions as the same type, and the user can select and accept only one of the smart tags. Note that in Excel, a recognizer recognizes only the entire content of a cell.
Best practices
Microsoft offers the following recommendations to organizations that use smart tags and are concerned about security:
Digitally sign smart tag DLLs: In any development process (including smart tag development), digitally signing COM DLLs should be a standard step.
Use appropriate macro security settings: For most environments, the default settings provide sufficient security. If a higher level of security control is required, clear the "Trust all installed add-ins and templates" check box and set the macro level to "High" or "Medium".
Manage confidentiality: If your organization uses smart tags to recognize sensitive data, turn off smart tag embedding in all documents that are sent outside the organization.
Redirect inside the firewall: Organizations that have a firewall can consider setting up a local distribution point inside the firewall for all smart tags. Use policy templates to point the Download Location URL and the "Check New Smart Tag" function to this location.
Summary
Users and administrators are paying more and more attention to security. Microsoft has taken a number of measures to help administrators manage network security, including digital signature support, policy templates, and security settings in Office applications. Smart tags fit well into this security environment because no actual code travels with a smart tag. In addition, end users can control many smart tag features from within Office XP, so smart tags do not provide a route for malicious code to enter the environment. Even so, administrators still need to be cautious in managing network security. It is therefore important to understand the concept of smart tags and the benefits they bring to the application environment and to the enterprise environment.